Separating the Signal from the Noise

Time is money.
Analysts have precious little of it.

Both people and machines are taxed to their limits ingesting huge volumes of data. The mean time to detect an attack for many enterprises lingers between two days and a week.* Learn how analysts can save time by leveraging McAfee Security Operations solutions to focus on what matters most and make the best use of automation, human-machine teaming, and other advanced analytics.

Introduction

Storyline

An alarm is triggered, indicating that the behavior of Joshua Newman, a trusted employee, has exceeded normal thresholds. Investigation will reveal that the employee has executed a suspicious file, which happens to be zero-day malware, on the network, resulting in large amounts of data being accessed and sent to suspicious external IP addresses.

Instructions

As a security analyst, you must review the given information and decide how to investigate and respond to the incident. You must do so quickly, as the clock is ticking. Test your skills and see whether you can select the best signals for investigation.

Security analysts deal with multiple security alerts at once, which makes it hard to determine what needs attention first and to pick out a real threat. The following is a dashboard that a typical analyst might find at the start of the day in McAfee’s SIEM solution, McAfee Enterprise Security Manager.

Decision point:

You received an alert concerning an elevated user risk score. What would be the suggested starting point for further investigation within the McAfee Enterprise Security Manager dashboard?

A. Device Type Summary

B. Average Event Severity

C. Event Distribution

D. Event Source Users

E. Advanced Search

The correct response is B.

The Average Event Severity window tells you what events to prioritize given the assigned risk scores. This helps you save time and focus on the most pressing events.

You pivot into McAfee Behavioral Analytics, a user and entity behavior analytics solution, to gain insight into user behavior. You notice one user, Joshua Newman, as the source for this alert and see the top five riskiest users in the network. While insider threats can be a blind spot for existing security programs, McAfee Behavioral Analytics detects and provides visuals of insider behavior, threats, and attacks.

Decision point:

What is the suggested action to take next?

A. Investigate the activities that increased Joshua’s risk score

B. Investigate the 4 other riskiest users to see if they were connected with this incident

The correct answer is A.

This will identify the unusual activities responsible for raising Joshua’s risk score and contextual events to further the investigation.

You pivot back to McAfee Enterprise Security Manager and right-click on Joshua’s name to summarize all of the contextual events related to this incident. You see a detected-malware event and a file with a tempting title, Corporate Payroll SENSITIVE. In reality, that file is a zero-day threat with a weaponized payload.

To quickly gather evidence, you pivot to McAfee’s guided investigation capabilities. You are shown specific questions to investigate, based on known evidence, along with answers to those questions so you can work more quickly. There, you discover that Joshua’s workstation has been communicating with malicious IP addresses. You also see the processes running on his workstation.

Decision point:

To efficiently handle the incident, what is the suggested action to take next?

A. Block all inbound and outbound communications with the external domains associated with this incident

B. Identify the file hash of the zero-day threat that Joshua introduced, for backtracking

C. Add Joshua to the watchlist for further monitoring

D. All of the above

The correct answer is D.

By blocking the inbound and outbound communications with external domains associated with the incident, you prevent future attacks from a domain with a known bad reputation. By identifying the file hash of the zero-day threat, you can enable the backtracing feature in the Enterprise Security Manager to tell you if any other workstations in your network have been exposed to the same threat. Finally, by adding Joshua to the watchlist, you make it easier to monitor suspicious activities from Joshua in the future.

In this incident investigation and response exercise, you used McAfee Enterprise Security Manager to oversee the events impacting your organization and then quickly homed in on the events with the highest severity. Since the highest-severity event concerned a user who had exceeded his risk threshold, you pivoted into McAfee Behavioral Analytics to compare his behavior against his own past behavior, his peer group, and the organization. You confirmed that his behavior had changed drastically over the past two days and that his activities suggested data exfiltration. Within the McAfee Enterprise Security Manager console, you summarized the contextual events related to the incident and confirmed that the user’s workstation had been hit with zero-day malware. With McAfee’s guided investigation capabilities, you leveraged human-machine teaming to identify the suspicious activities connected to the infected workstation and took corrective actions to respond to the incident.
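The triage flow the exercise walks through (rank by average event severity, pivot to the riskiest user, summarize that user's contextual events, pull the malware hash, backtrack it across other hosts, and assemble the block/backtrack/watchlist response) can be expressed as a small correlation script. The following is an added illustration, not McAfee code and not ESM's data model: the event fields, the 0-100 severity scale, the user names, hosts, placeholder hashes, documentation-range IPs and the reputation list are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names, severity
# scale (0-100), users, hosts, hashes and IPs are assumptions for this example.
EVENTS = [
    {"user": "jnewman", "host": "WS-017", "type": "malware_detected",
     "severity": 90, "file_hash": "SHA256-PLACEHOLDER-A", "dst_ip": None},
    {"user": "jnewman", "host": "WS-017", "type": "outbound_connection",
     "severity": 75, "file_hash": None, "dst_ip": "203.0.113.45"},
    {"user": "jnewman", "host": "WS-017", "type": "outbound_connection",
     "severity": 75, "file_hash": None, "dst_ip": "198.51.100.7"},
    {"user": "asmith", "host": "WS-022", "type": "process_start",
     "severity": 20, "file_hash": "SHA256-PLACEHOLDER-A", "dst_ip": None},
    {"user": "asmith", "host": "WS-022", "type": "login",
     "severity": 10, "file_hash": None, "dst_ip": None},
    {"user": "bjones", "host": "WS-031", "type": "login",
     "severity": 10, "file_hash": None, "dst_ip": None},
    {"user": "bjones", "host": "WS-031", "type": "outbound_connection",
     "severity": 30, "file_hash": None, "dst_ip": "192.0.2.10"},
]

# Constructed reputation feed: external IPs already known to be bad.
BAD_REPUTATION_IPS = {"203.0.113.45", "198.51.100.7"}


def average_severity_by_user(events):
    """Average event severity per user: the view the exercise starts from."""
    totals, counts = defaultdict(int), defaultdict(int)
    for ev in events:
        totals[ev["user"]] += ev["severity"]
        counts[ev["user"]] += 1
    return {user: totals[user] / counts[user] for user in totals}


def riskiest_user(events):
    """The user whose events average highest: the pivot into behavior analytics."""
    avg = average_severity_by_user(events)
    return max(avg, key=avg.get)


def contextual_events(events, user):
    """Every event attributed to the user, most severe first (the right-click summary)."""
    return sorted((e for e in events if e["user"] == user),
                  key=lambda e: e["severity"], reverse=True)


def malware_hashes(events, user):
    """File hashes from detected-malware events attributed to the user."""
    return {e["file_hash"] for e in contextual_events(events, user)
            if e["type"] == "malware_detected" and e["file_hash"]}


def backtrack_hash(events, file_hash):
    """All hosts that have seen the given hash in any event: the backtracking step."""
    return sorted({e["host"] for e in events if e["file_hash"] == file_hash})


def response_plan(events, user):
    """Assemble the three actions from the final decision point."""
    ctx = contextual_events(events, user)
    user_hosts = {e["host"] for e in ctx}
    contacted = {e["dst_ip"] for e in ctx if e["dst_ip"]}
    hashes = malware_hashes(events, user)
    # Hosts other than the user's own that executed or wrote the same hash.
    exposed = {h for fh in hashes for h in backtrack_hash(events, fh)} - user_hosts
    return {
        "block_ips": sorted(contacted & BAD_REPUTATION_IPS),
        "malware_hashes": sorted(hashes),
        "other_exposed_hosts": sorted(exposed),
        "watchlist": [user],
    }


if __name__ == "__main__":
    top = riskiest_user(EVENTS)
    print("riskiest user:", top, average_severity_by_user(EVENTS)[top])
    for ev in contextual_events(EVENTS, top):
        print("  ", ev["severity"], ev["type"], ev["host"], ev["dst_ip"] or "")
    print("response plan:", response_plan(EVENTS, top))
```

With the constructed data, the script ranks jnewman first (average severity 80), pulls the placeholder hash from his detected-malware event, finds that WS-022 also ran it, and proposes blocking the two bad-reputation IPs he contacted while leaving the unflagged 192.0.2.10 alone. In a real deployment the inputs would come from the SIEM's normalized events and a reputation feed rather than inline literals.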


*McAfee technologies' features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Demos document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. Cost and time reduction scenarios described are intended as examples of how a given McAfee product, in the specified circumstances and configurations, may affect future costs and provide cost and time savings. Circumstances and results will vary. McAfee does not guarantee any cost or cost reduction. No computer system can be absolutely secure.